– The Data Inspectorate must intervene

Another leak of social security numbers leads only to shrugs from the responsible people at the university. The Student Parliament now demands that the Data Inspectorate carry through sanctions instead of only criticizing the management.

The Data Inspectorate are responsible when nothing happens when they keep forecasting sanctions they never carry out. Mari Helén Varøy, leader of the Student Parliament

The main violations

  • 2006: The social security numbers of 5300 scholars were published online on the 18th of May 2005. In March 2006 the numbers were re-coded so they were easily accessible on Google for several days.
  • 2007: 3400 social security numbers that belonged to students of medicine were available online for two months, and USIT promised that the case was solved before it actually was.
  • 2009: A mistake by the Faculty of Theology led to a case where 207 students had their social security numbers published online. A server in Asia downloaded the information. This is the first time an attempt at misuse of a leak like this has been registered.

On the occasion of a seminar, the Department of Sociology and Human Geography last week sent out an email containing students' social security numbers to people not concerned with the matter. The next day the 31 students affected received a request to block their credit cards.

– This is the third time in just over a year that something like this happens. That is at least two times too many, says Mari Helén Varøy, leader of The Student Parliament.

– Enough should be enough

The Data Inspectorate have at times used strong language when criticizing the culture of privacy protection at the university. The worst violation so far happened in 2006, when it turned out that several thousand social security numbers were published and stayed available online for almost a year. Varøy thinks that enough should be enough.

– The university can’t keep getting away with excuses when the guidelines obviously don’t cover all the parts of the system. The University Center of Information Technology USIT should react in a stronger manner, and if that doesn’t happen, then it’s time for The Data Inspectorate to intervene, says Varøy.

– The Inspectorate are out there criticizing, but they are also responsible when nothing happens when they keep forecasting sanctions they never carry out, Varøy adds.

A passive inspectorate

– We haven’t contributed anything other than strong words so far because the only means of sanction we had at our disposal was to file a report. That would have been a bit too much, says Ove Skåra, information director at the Data Inspectorate.

He thinks that if the case from 2006 had happened today, there is a strong possibility that the Inspectorate would have fined the university. In spite of this, the Inspectorate chose to drop the case in which 207 students at the Faculty of Theology had their social security numbers downloaded to a server in Asia in March, after a mistake made by the university. The consequence is that the students have to live in fear of identity theft for the rest of their lives.

UiO refuses to apologize

– The university is as big as the city of Kristiansand. It’s close to impossible to prevent smaller issues from occurring, says the director for information systems, Arne Laukholm. He refuses to admit that the control routines are insufficient.

– If violations occur, then it’s due to the fact that our provided information hasn’t reached all the employees who have access to social security numbers. There is nothing wrong with our routines, he says.

When requested to apologize on behalf of the management to the students who now have to block their credit cards, his answer is a ready no.

– The email reached the inboxes of only a few people who knew each other, and they probably won’t misuse the information.

Skåra in the Data Inspectorate still thinks it’s wrong to trivialize things like these when they happen once in a while, especially when it comes to the university’s history in this field.

– An apology would have been appropriate, says Skåra.

Mari Helén Varøy shares this opinion.

– It sounds weird to me that the management refuses to apologize when the university inflicts extra work upon the students despite the fact that they have several times promised that things like that won’t happen again.

Emil Flatø • Torbjørn Sundal Holen (photo) • Translated by Ingrid F. Brubaker